How can we improve Azure Networking?

Is it possible to expose Azure blob storage via Application Gateway?

Expose Azure blob storage via Application Gateway.

I would like to remove public access for Azure Blob and only make it accessible via virtual network. The Azure Application Gateway will be public-facing; it does the SSL termination and forwards the request to blob.

This would allow scanning for malicious content via virtual appliances before content is stored in blob.

I believe Application Gateway and Azure Storage integration is reasonable.

Currently Azure CDN cannot act as WAF to drop malicious traffic. In addition, we have better metrics & diagnostic logs for Application Gateway than Azure CDN.

There's no limit to achieving better security for users, so I would appreciate it if you would consider that.
I personally tested AppGw and Azure Storage, and they integrated great by setting "PickHostNameFromBackendAddress" on AppGw. We just do not have a PG guarantee with this scenario.

Azure CDN would mean the content is replicated, which I do not want. Also, with CDN, managing SAS tokens is challenging, as the current documentation says CDN does not respect the SAS restrictions.

So in the meantime, if there is no Application Gateway support for what I want to achieve, the fallback would be
API Gateway - Azure Function - Blob Storage?
and the network traffic between the Azure Function and the Blob can be monitored for malicious content